Many-To-One Mappings Rules <rules>

Overview

The <rules> element of the <add> element specifies the criteria IIS uses to match client certificates against a many-to-one mapping, so that many client certificates (for example, every certificate issued by one CA) are mapped to a single Windows user account.

There are two fields from client certificates that can be used as criteria for many-to-one rules:

Issuer - This field specifies information about the certification authority (CA) that issued the client certificate.

Subject - This field specifies information about the entity to whom the client certificate was issued.

Each of these fields is a distinguished name made up of the usual LDAP/X.500 subfields, any of which can be used as the subfield for a rule; for example:

CN = commonName (for example, "Nancy Davolio")

OU = organizationalUnitName (for example, "Sales")

O = organizationName (for example, "Contoso")

L = localityName (for example, "Redmond")

S = stateOrProvinceName (for example, "WA"; note that Windows abbreviates this subfield S, not ST as in LDAP)

C = countryName (for example, "US")

To create a mapping, you add one or more rules, each of which names a field/subfield pair and the value it must match. For example, a rule that matches the issuer's O subfield against Contoso maps every client certificate issued by the Contoso CA to the mapping's user account, so clients whose certificates were not issued by that CA receive no mapping and are refused. A mapping applies only to certificates that satisfy every rule in its <rules> collection, so a second rule on the subject (for example, OU = Sales) narrows the set further. Note that a rule compares only the text of the certificate field; whether the issuing CA is trustworthy at all is decided earlier, when the TLS handshake validates the client certificate's chain against the root certificates the server trusts. Keep that trusted root list as narrow as possible, because an issuer rule cannot tell two CAs apart if both put O = Contoso in their names.
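As an added example (this fragment is not part of the original page), the following is what the resulting configuration looks like in ApplicationHost.config for a site named "Contoso" whose Contoso-issued, Sales-OU client certificates are mapped to the account contoso\contosoemployees. The site name, account, description and password are placeholders; IIS stores the password attribute encrypted, so it is shown as a placeholder rather than a literal value.

```xml
<!-- Added example, not from the original page. Site name, account and
     password are placeholders chosen for illustration. -->
<location path="Contoso">
  <system.webServer>
    <security>
      <!-- Require a client certificate. SChannel validates the certificate
           chain against the server's trusted roots during the handshake;
           only certificates that pass are seen by the mapping rules. -->
      <access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" />
      <authentication>
        <iisClientCertificateMappingAuthentication enabled="true"
            manyToOneCertificateMappingsEnabled="true">
          <manyToOneMappings>
            <add name="Contoso Sales"
                 description="Contoso-issued certificates for the Sales OU"
                 enabled="true"
                 permissionMode="Allow"
                 userName="contoso\contosoemployees"
                 password="PLACEHOLDER">
              <rules>
                <!-- Every rule in the collection must match for this
                     mapping to apply: issued by Contoso AND Subject OU=Sales. -->
                <add certificateField="Issuer"
                     certificateSubField="O"
                     matchCriteria="Contoso"
                     compareCaseSensitive="false" />
                <add certificateField="Subject"
                     certificateSubField="OU"
                     matchCriteria="Sales"
                     compareCaseSensitive="true" />
              </rules>
            </add>
          </manyToOneMappings>
        </iisClientCertificateMappingAuthentication>
      </authentication>
    </security>
  </system.webServer>
</location>
```

The issuer rule is compared case-insensitively because CA names are typically typed in mixed case; the subject OU rule is left case-sensitive so that only certificates with the exact OU value issued by the CA are mapped.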

How To

There is no user interface in IIS Manager for configuring IIS Client Certificate Mapping authentication in IIS 7; it must be configured with AppCmd.exe or programmatically. For examples of how to configure IIS Client Certificate Mapping authentication programmatically, see the Code Samples section of this document.

Note: You must set the commit parameter to apphost when you use AppCmd.exe to configure these settings. This commits the configuration to the appropriate <location> section of ApplicationHost.config rather than to a Web.config file in the site's content directory, which also keeps the mapping's userName and password out of the web content tree.
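The following PowerShell session, added here as an example and not taken from the page's own Code Samples, configures a many-to-one mapping with AppCmd.exe, committing every change to ApplicationHost.config with /commit:apphost as the note above requires. The site name "Contoso", the account contoso\contosoemployees, the mapping name and the rule values are placeholders; run it from an elevated session on the IIS server.

```powershell
# Added example (not from the original page). Site name, account, mapping
# name and rule values are placeholders; run in an elevated PowerShell session.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site    = 'Contoso'
$section = 'system.webServer/security/authentication/iisClientCertificateMappingAuthentication'
$mapping = 'Contoso Sales'

# Read the account password at run time so it is not left in the script,
# source control or shell history.
$password = Read-Host -Prompt "Password for contoso\contosoemployees"

# Require a client certificate on the site. SChannel validates the chain
# against the server's trusted roots before the mapping rules see the cert.
& $appcmd set config $site "-section:system.webServer/security/access" `
    /sslFlags:"Ssl, SslNegotiateCert, SslRequireCert" /commit:apphost

# Enable the authentication module and many-to-one mappings.
& $appcmd set config $site "-section:$section" /enabled:"True" /commit:apphost
& $appcmd set config $site "-section:$section" /manyToOneCertificateMappingsEnabled:"True" /commit:apphost

# Create the mapping: the Windows account that matching certificates log on as.
& $appcmd set config $site "-section:$section" `
    "/+manyToOneMappings.[name='$mapping',description='Contoso-issued Sales certificates',userName='contoso\contosoemployees',password='$password',enabled='True',permissionMode='Allow']" `
    /commit:apphost

# Add the rules. Every rule in the collection must match for the mapping to apply:
# issued by a CA whose Issuer O is Contoso AND Subject OU is exactly Sales.
& $appcmd set config $site "-section:$section" `
    "/+manyToOneMappings.[name='$mapping'].rules.[certificateField='Issuer',certificateSubField='O',matchCriteria='Contoso',compareCaseSensitive='False']" `
    /commit:apphost
& $appcmd set config $site "-section:$section" `
    "/+manyToOneMappings.[name='$mapping'].rules.[certificateField='Subject',certificateSubField='OU',matchCriteria='Sales',compareCaseSensitive='True']" `
    /commit:apphost

# Show what was committed to ApplicationHost.config for the site.
& $appcmd list config $site "-section:$section"
```

AppCmd.exe takes the mapping password in clear text on its command line, so it is briefly visible in process listings and in any command-line auditing on the host; IIS encrypts the password attribute when it writes it to ApplicationHost.config. Omitting /commit:apphost would write the mapping, including the account credentials, into a Web.config file under the site's content directory instead.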